Monday, 10 December 2012

As there are so many changes, we've decided to go to version 2.0.0 rather than 1.5, and some of the biggest changes have come about thanks to the Google Summer of Code (GSoC).

This is the first year in which ZAP has taken part in the GSoC, and it has been a resounding success.

In this post I'll give you an overview of the three GSoC projects, and an easy way to try them out if you can't wait for the full release.

New Spider (plus session awareness)

The current ZAP spider is showing its age.
It was inherited from the original Paros code, and is not as fast or effective as we would like.
Cosmin Stefan completely rewrote the spider, which is now much faster and more comprehensive than the old one.

This on its own would have been a great addition to ZAP.
But Cosmin also added session awareness to ZAP, so that ZAP can keep track of multiple sessions.
This extension allows you to switch between sessions on the fly as follows:

Login to the target application

Check to make sure the session is recognised in the HTTP Sessions tab

Click the "New Session" button

Select another page in your application - your browser should be logged out now

Login to the target application as another user

Both sessions will be active, so you can switch between them using ZAP without having to do anything in your browser

Note that the session awareness applies to all of the other ZAP tools, like the spider and active scanner, so you can easily run these tools in different sessions.
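To make the mechanism behind the steps above concrete, here is an added example of proxy-side session tracking. It is not ZAP's code: it is a small Python model of what the HTTP Sessions feature has to do, namely learn session tokens from Set-Cookie headers, keep each distinct token under its own session name, and rewrite the Cookie header of outgoing requests to whichever session is active, so the proxy rather than the browser decides which user a request runs as. The set of cookie names treated as session tokens and the "Session N" naming are assumptions for this example; the traffic in the walkthrough is constructed.

```python
"""Proxy-side HTTP session tracking, modelled on ZAP's HTTP Sessions tab.

Added example, not ZAP code. Assumptions (not from the post):
- SESSION_TOKEN_NAMES is the list of cookie names treated as session tokens.
- Sessions are named "Session 1", "Session 2", ... in order of discovery.
"""
from http.cookies import SimpleCookie

# Cookie names treated as session identifiers (assumed defaults for this example).
SESSION_TOKEN_NAMES = {"JSESSIONID", "PHPSESSID", "ASP.NET_SessionId", "session"}


class HttpSessionTracker:
    def __init__(self, token_names=SESSION_TOKEN_NAMES):
        self.token_names = set(token_names)
        self.sessions = {}   # session name -> {cookie name: value}
        self.active = None   # name of the session whose tokens get sent
        self._counter = 0

    def new_session(self):
        """The 'New Session' button: drop the active session so the next
        response that sets a token starts a fresh one."""
        self.active = None

    def observe_response(self, set_cookie_headers):
        """Learn session tokens from a response's Set-Cookie headers.
        Returns the session name they were recorded under, or None."""
        tokens = {}
        for header in set_cookie_headers:
            jar = SimpleCookie()
            jar.load(header)
            for name, morsel in jar.items():
                if name in self.token_names:
                    tokens[name] = morsel.value
        if not tokens:
            return None
        if self.active is None:
            self._counter += 1
            self.active = f"Session {self._counter}"
            self.sessions[self.active] = {}
        self.sessions[self.active].update(tokens)
        return self.active

    def switch_to(self, name):
        """Switch sessions on the fly, without touching the browser."""
        if name not in self.sessions:
            raise KeyError(f"unknown session {name!r}")
        self.active = name

    def rewrite_request_cookie(self, cookie_header):
        """Replace any session tokens in an outgoing Cookie header with the
        active session's values. Non-session cookies pass through untouched.
        Returns the new header value, or None if there is nothing to send."""
        jar = SimpleCookie()
        if cookie_header:
            jar.load(cookie_header)
        cookies = {n: m.value for n, m in jar.items() if n not in self.token_names}
        if self.active is not None:
            cookies.update(self.sessions[self.active])
        if not cookies:
            return None
        return "; ".join(f"{n}={v}" for n, v in cookies.items())


def walkthrough():
    """The post's six steps, driven from the proxy side with constructed traffic."""
    t = HttpSessionTracker()
    # 1-2. Log in as alice; the app sets a session cookie, which is recognised.
    alice = t.observe_response(["JSESSIONID=alice-token; Path=/; HttpOnly"])
    # 3. Click "New Session".
    t.new_session()
    # 4. The next request leaves the proxy with no session token: logged out.
    logged_out = t.rewrite_request_cookie("JSESSIONID=alice-token; lang=en")
    # 5. Log in as bob; a second session is created.
    bob = t.observe_response(["JSESSIONID=bob-token; Path=/; HttpOnly"])
    # 6. Switch back to alice inside the proxy while the browser still sends bob's cookie.
    t.switch_to(alice)
    as_alice = t.rewrite_request_cookie("JSESSIONID=bob-token; lang=en")
    return alice, bob, logged_out, as_alice
```

Because the rewrite happens on every outgoing request, the same tracker can be consulted by a spider or scanner thread, which is why one session object per user is enough to run those tools as that user.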

Ajax Spider using Crawljax

As mentioned above, the old spider wasn't really effective enough, so we've actually replaced it with two spiders!

Cosmin implemented a traditional spider, which analyses the HTML code for any links it can find. This is fast and works well with 'traditional' web applications. However, it's not so effective with Ajax applications which use a lot of JavaScript, so Guifre Ruiz has added an Ajax spider.

Software reuse is one of the core principles we try to follow when developing ZAP, so for this development Guifre made use of the Crawljax project.

The Ajax spider follows all of the links it can find via the browser, and so can discover any links an application generates, even ones generated client side via JavaScript.

This is a great complement to Cosmin's spider, and means that ZAP will be able to effectively spider a very wide range of applications.

The current version of ZAP only managed to discover 10% of the links in the wivet test application. As you can see, the new Ajax spider is much more effective:

WebSockets support

The first two projects were OWASP GSoC projects, but we also had a third GSoC project thanks to Mozilla.

Robert Kock enhanced ZAP to support WebSockets, so ZAP can now see all WebSocket messages sent to and from your browser.

And as with HTTP based messages, ZAP can also intercept WebSocket messages and allow you to change them on the fly.

Not only that, but he also integrated the ZAP fuzzer, so you can fuzz WebSocket messages as well using all of the fuzzing payloads included in ZAP from projects like JBroFuzz and fuzzdb. And of course you can easily add your own fuzzing files.
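Changing a WebSocket message "on the fly", and fuzzing it, is not just patching bytes in a captured frame: RFC 6455 frames carry the payload length in the header, and every client-to-server frame is XOR-masked with a per-frame key, so a proxy has to unmask, edit, and re-frame (re-masking if the frame is heading to the server). The following is an added Python example of that framing, written for this page and not taken from ZAP's implementation; the sample messages and fuzz payloads are constructed, and the example handles only single, unfragmented frames (no continuation-frame reassembly).

```python
"""RFC 6455 framing for intercepting and fuzzing WebSocket messages.

Added example, not ZAP code. Scope (assumption): single unfragmented frames;
continuation frames and control-frame semantics are not modelled.
"""
import os
import struct

OPCODE_TEXT = 0x1
OPCODE_BINARY = 0x2


def encode_frame(payload: bytes, opcode=OPCODE_TEXT, mask=True, mask_key=None) -> bytes:
    """Build one final (FIN=1) frame. Client->server frames must be masked;
    server->client frames must not be (RFC 6455 section 5.1)."""
    header = bytes([0x80 | (opcode & 0x0F)])
    n = len(payload)
    mask_bit = 0x80 if mask else 0x00
    if n < 126:
        header += bytes([mask_bit | n])
    elif n < 0x10000:
        header += bytes([mask_bit | 126]) + struct.pack("!H", n)
    else:
        header += bytes([mask_bit | 127]) + struct.pack("!Q", n)
    if not mask:
        return header + payload
    key = mask_key if mask_key is not None else os.urandom(4)
    masked = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return header + key + masked


def decode_frame(data: bytes):
    """Parse one frame from the start of data.
    Returns (opcode, fin, was_masked, payload, bytes_consumed)."""
    if len(data) < 2:
        raise ValueError("short frame")
    fin = bool(data[0] & 0x80)
    opcode = data[0] & 0x0F
    masked = bool(data[1] & 0x80)
    n = data[1] & 0x7F
    pos = 2
    if n == 126:
        (n,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
    elif n == 127:
        (n,) = struct.unpack("!Q", data[pos:pos + 8])
        pos += 8
    key = b""
    if masked:
        key = data[pos:pos + 4]
        pos += 4
    end = pos + n
    if len(data) < end:
        raise ValueError("truncated frame")
    payload = data[pos:end]
    if masked:
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return opcode, fin, masked, payload, end


def rewrite_frame(raw: bytes, transform) -> bytes:
    """Intercept-and-modify: decode, apply transform to the payload, and
    re-frame. A fresh mask key is generated when the original was masked,
    and the length field is recomputed for the new payload."""
    opcode, _fin, masked, payload, used = decode_frame(raw)
    return encode_frame(transform(payload), opcode=opcode, mask=masked) + raw[used:]


def fuzz_frames(raw: bytes, payloads):
    """Fuzzing is the same re-framing done once per payload: the opcode and
    direction (masked or not) of the captured frame are kept, the payload
    is replaced. Yields ready-to-send frames."""
    opcode, _fin, masked, _payload, _used = decode_frame(raw)
    for p in payloads:
        yield encode_frame(p, opcode=opcode, mask=masked)


# Constructed sample: a browser->server text message, with a fixed mask key
# so the bytes are reproducible.
SAMPLE_CLIENT_FRAME = encode_frame(b'{"user":"alice","msg":"hi"}', mask_key=b"\x01\x02\x03\x04")
```

Note what changes between the captured frame and the rewritten one: the length byte, the mask key, and therefore every masked payload byte. A proxy that edits the masked bytes in place would corrupt the message, which is why the fuzzer has to go through the encoder rather than splicing payloads into the raw frame.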

As far as I'm aware, this means that currently ZAP has better WebSockets support than any other security tool out there. So if you are performing a pentest on an app that uses WebSockets then you really need to use ZAP.

Try them now

These three projects are great additions to ZAP, and will form a very significant part of the new 2.0.0 release.

I've been very impressed by the quality of the work all three students produced, and they all required much less supervision than I or the other mentors expected.

I'd like to thank them again for all of their hard work, and am delighted that they are carrying on contributing to ZAP. I'd also like to thank the mentors who managed them, the other ZAP developers who supported them, and Google for organising such a great initiative.

And if you want to try out these projects, then you can do so right now :)

Guifre's Ajax Spider can be downloaded and added to ZAP 1.4 via the zap-extensions project.

And all 3 projects are included in the latest weekly release - so please try this out and let us know what you think!

Monday, 22 October 2012

I've been struggling with the question of ZAP releases.
We've made loads of enhancements to ZAP recently, and I want them to be available to as wide an audience as possible.
But I also want to make sure our 'full' releases remain as robust and stable as possible.
I want to get the next full release (2.0.0) out of the door asap, but I still want to get a load more features into it.

So I've discussed this with the other ZAP developers, and we've decided to do weekly ZAP releases from the source trunk.
And that's starting today (Monday 22nd October), so there's a weekly release available now at: http://code.google.com/p/zaproxy/downloads/list

How do 'weekly' releases differ from the 'full' releases?

No installers, just one cross platform archive (ZIP)

No release notes, although we will put info about some features on the wiki and link to committed issues

No specific testing - they will be 'bleeding edge' - stuff may be broken

No guarantee that the help files will be up to date (although ideally it shouldn't be too far out)

They use a different default home directory to full releases, so they will not interfere with each other

Less localization (probably)

Who will these releases be suitable for?

Anyone who wants to use the features we've added since 1.4.* but doesn't want the hassle of building ZAP from the source code

Anyone who would like to help test ZAP as it's being developed

Who will these releases not be suitable for?

Anyone who has not used ZAP before (they would be better off with a full release)

Anyone building security distributions (ditto)

Anyone developing or extending ZAP (they should use the trunk)

What are some of the significant changes since the last full ZAP release?

Thursday, 13 September 2012

The OWASP Zed Attack Proxy (otherwise known as ZAP) is a free security tool which you can use to find security vulnerabilities in web applications.

My name is Simon Bennetts, and I am the ZAP Project Leader; there
is also an international group of volunteers who develop and support it.
Future posts on this blog will describe the features that ZAP provides and how you can use them,
but this post will concentrate on the philosophy behind ZAP.

Some of the ideals that have driven ZAP are listed below and will be expanded upon in the rest of this post:

help users develop and apply application security skills

build a competitive, open source, and community oriented platform

provide an extensible platform for testing

designed to be easy to use

raise the bar for other security tools

Helping users learn about Application Security

Unlike many security tools ZAP is designed to be used by people new to application security as well as security professionals.

My background is in development, and I started
playing around with the Paros Proxy (from which I forked ZAP) as a way
to learn about security tools. Helping people to learn about application
security has been, and will remain, an essential goal for ZAP.

The open nature of ZAP is key here – users can
delve into the code to see how it works. Anyone who thinks they can make
an improvement has the opportunity to implement those changes, feed
them back and be credited for them. Developers can work on ZAP to help
them learn about security, and security people can work on ZAP to help
them learn about coding.

An Open Source, Community based project

Like all OWASP projects, ZAP is open source and
completely free to use. This means that there is no ‘pro’ version, so
there is no incentive for us to hold back features for the ‘paid-for’
version. ZAP is also a community based project, which is an important
distinction when compared with some other tools.

There are many security tools that are open
source but are still tightly controlled by one individual or company.
While a user can see how these products work it is often difficult to
change them or influence their direction.

Anyone can get involved with the ZAP development –
once someone has shown that they can produce good quality code and
conform to ZAP guidelines then they can get commit access!

There are plenty of opportunities for non coders
to get involved too – testing, documentation, training videos,
translating – all contributions are welcomed and credited.

An Extensible platform for testing web applications

In addition to improving the core feature set for
ZAP, we are working to ensure that as much of ZAP functionality is
implemented as extensions or addons, which can easily be added to
existing ZAP releases. This means that new features can be added
dynamically without having to wait for full ZAP releases, and also means
that we can accommodate features that will only appeal to a small
subset of our users.

The ZAP community is very supportive of people
who want to learn about coding or security, and we have just benefited
from three students producing excellent enhancements to ZAP as part of the Google Summer of Code.

Ease of use as a design goal

We realize that developers and functional testers
will probably spend a relatively small amount of time using security
tools, so we want ZAP to be as intuitive as possible.

But we try to maintain a balance between making things as simple as possible while at the same time not over simplifying them.

While there is no 'big red button' in ZAP which will solve all of your security problems, ZAP provides a set of automated tools which will help individuals assess the security of applications.

ZAP also provides a set of manual tools which can
be used by people with more knowledge, which is one of the reasons it
has been so enthusiastically adopted by professional pentesters.
Inexperienced users can start off using the automated tools and
gradually use more and more of the manual features as they improve their
knowledge of application security.

Raising the bar for security tools

Another way ZAP can help application security in
general is by raising the bar for other security tools, commercial or
otherwise. Other products are free to reuse our source code (with
acknowledgement;) and also free to copy or be ‘inspired’ by features
that are implemented in ZAP.

In fact we welcome such reuse as it will provide the following benefits:

improved tools, which increases user choice

wider availability of effective security tools

feature parity across tools, which will drive innovation and competition

Conclusion

In conclusion, ZAP is a free, open-source community developed tool
aimed at making the online world more secure. Anyone can get involved
developing the core engine, or by creating addons which have full access
to the core functionality. And that will probably sound vaguely
familiar, as it's very close to the philosophy behind Mozilla Firefox.

It's why I'm working for Mozilla as a security automation engineer, and the justification for this blog's title :)

If you have any interest in application security then you should
download ZAP and try it out. And if you would like to learn more, or
help to make ZAP better then please get in touch with me.